Abstract. We present probabilistic algorithms for the problems of finding an irreducible polynomial of degree $n$ over a finite field, finding roots of a polynomial, and factoring a polynomial into its irreducible factors over a finite field. All of these problems are of importance in algebraic coding theory, algebraic symbol manipulation, and number theory. These algorithms have a very transparent, easy to program structure. For finite fields of large characteristic $p$, so that exhaustive search through $Z_p$ is not feasible, our algorithms are of lower order in the degrees of the polynomial and fields in question than previously published algorithms.

Research on probabilistic algorithms in finite fields was work conducted during 1976 while at MIT.
PROBABILISTIC ALGORITHMS IN FINITE FIELDS

Michael O. Rabin


In this paper we utilize the method of probabilistic algorithms to solve some important computational problems pertaining to finite fields. The questions we deal with are the following. Given a prime $p$ and an integer $n$, how do we actually perform the arithmetical operations of $E = GF(p^n)$. Given a polynomial $f(x)$ of degree $m$ with coefficients in $E$, we wish to find a root $a \in E$ of $f(x) = 0$, if such a root does exist. This is the root-finding problem. Finally, given a polynomial $f(x) \in E[x]$, we want to find the factorization $f = f_1^{e_1} \cdots f_k^{e_k}$ of $f$ into its irreducible factors $f_i(x) \in E[x]$. This is the factorization problem.

All of the above problems are of great significance in algebraic coding theory, see [2], in algebraic symbol manipulation, and in computational number theory.


Algorithms for the latter two problems are given in Berlekamp's [2] and more completely in the important paper [3] which culminates his own work on the subject and also incorporates important ideas of Collins, Knuth, Welch, Zassenhaus, and others.

Berlekamp solves the root-finding problem for $f \in GF(p^n)[x]$, $\deg(f) = m$, by reducing it to the factorization problem of another polynomial $F(x) \in Z_p[x]$ ($Z_p = GF(p)$ is the field of residues mod $p$), where $\deg(F) = mn$. The problem of factoring $F(x) \in Z_p[x]$ is solved by reducing it to finding the roots in $Z_p$ of another polynomial $G(x) \in Z_p[x]$. Thus everything is reduced to root-finding in $Z_p$. For root-finding in a large $Z_p$, a case in which search is not feasible, Berlekamp proposes a probabilistic algorithm involving a random choice of $d \in Z_p$. The article [3] does not contain a proof for the validity of this algorithm.

Our starting point is to solve directly the problem of root-finding in $GF(p^n) = E$ for polynomials $f \in E[x]$, by a probabilistic algorithm which generalizes to arbitrary finite fields Berlekamp's algorithm for $Z_p$. The validity of the algorithm is based on Theorem 4 which has a surprisingly simple proof.


We now base factorization of a polynomial $f(x) \in Z_p[x]$ on root-finding for the same $f$. Namely, if $f(x)$ has irreducible factors of degree $m$, $h_i(x) \in Z_p[x]$, $1 \le i \le k$, then the product $D(x) = \prod h_i(x)$ of these factors can be readily found by computations in $Z_p[x]$. The roots of $D(x)$ are in $GF(p^m)$ and the above root-finding algorithm allows us to directly find such a root $a \in GF(p^m)$. The minimal polynomial $h(x) \in Z_p[x]$ of $a$, which is of degree $m$, can be found by one of two methods given in Section 3. Now, $a$ is also a root of some $h_i(x)$ of degree $m$, so that $h(x) = h_i(x)$, and we have found one irreducible factor of $f(x)$. An iteration of this process finds all the irreducible factors. The same algorithm works for factorization of polynomials $f(x) \in E[x]$, where $E$ is any finite field, by use of roots of the polynomial $f(x)$ itself.

In terms of the number of $Z_p$-operations (additions and multiplications mod $p$, of numbers $0 \le a, b < p$) used, our algorithms are of complexity proportional to $\log p$. Thus they are feasible even for fields $GF(p^n)$ where $p$ is so large that exhaustive search through $Z_p$ is not possible.

Leaving out the factor $\log p$ and factors of order $\log n + \log \log n$, the algorithms presented here have the following complexities. A root of $f(x) \in GF(p^n)[x]$, $\deg f = m$, can be found in $O(n^2 m)$ $Z_p$-operations. A polynomial $f(x) \in Z_p[x]$, $\deg(f) = n$, can be factored in $O(n^3)$ operations.

If the arithmetical operations of the field $E = GF(p^n)$ are wired into circuitry so that an $E$-operation can be viewed as a unit, then the above root-finding algorithm uses $O(nm)$ operations. Under the same assumption for the fields $GF(p^i)$, $i \le n$, the factorization of $f(x)$ uses $O(n^2)$ operations.

The root-finding and factorization algorithms for the case of large $p$, given in [3], are of higher order in $n$. Root-finding for $f(x) \in GF(p^n)[x]$, $\deg(f) = m$, uses $O((nm)^3)$ $Z_p$-operations. Factorization of $f \in Z_p[x]$, $\deg(f) = n$, uses $O(n^4)$ $Z_p$-operations.

If $p$ is small so that it is practicable to find a solution in $Z_p$ of $f(x) = 0$ by search, then a more careful comparison between the algorithms given here and the non-probabilistic algorithms presented in [3] is necessary. The latter algorithm for factorization will run in time $O(n^3)$ but there is an $O(p)$ factor. Our algorithm will run in $O(n^3)$ (in the non-preprocessed case) with a factor of $O(\log p)$. Thus for very small $p$, exact comparisons will depend on the numerical constants involved. However, the algorithms given here are sufficiently fast in all cases to justify their use even for small values of $p$.

The probabilistic nature of our algorithms does not detract from their practical applicability. The basic probabilistic step is a random choice of an element $\delta \in E$ which is then used in an attempt to split a polynomial $f(x)$ into two factors. We prove that for any fixed finite field $E$ and any fixed $f(x)$, the probability of success by such a random choice is at least half. Thus the expected number of such steps leading to success is at most two. Furthermore, in an algorithm involving many such steps, the probability of a run of bad random choices leading to a significant deviation from the expected total number of steps is very small.


1. ARITHMETIC OF GF(p^n)

Let $p$ be a prime, $n$ an integer and $q = p^n$. As customary, denote by $GF(q) = E$ the unique finite field of $q$ elements. In particular $GF(p) = Z_p$ is the field of residues mod $p$. We want to actually compute with elements of $E$. For $Z_p = \langle \{0, 1, \ldots, p-1\}, +, \cdot \rangle$, the operations are simply addition and multiplication mod $p$. If

(1) $g(x) = x^n + a_{n-1} x^{n-1} + \cdots + a_0 \in Z_p[x]$,

is an irreducible polynomial of degree $n$, then

$GF(p^n) \cong Z_p[x]/(g(x))$

where $(g)$ is the ideal generated by $g$. Given such a $g(x)$, $E$ can be represented as the set of $n$-tuples of elements of $Z_p$. Let $\beta = (b_{n-1}, \ldots, b_0)$, $\gamma = (c_{n-1}, \ldots, c_0)$. Addition is component-wise. To multiply, form

$d(x) = (b_{n-1} x^{n-1} + \cdots + b_0)(c_{n-1} x^{n-1} + \cdots + c_0)$

and find the residue $\delta(x) = d_{n-1} x^{n-1} + \cdots + d_0$ of $d(x)$ when divided by $g(x)$. Then $\beta\gamma = (d_{n-1}, \ldots, d_0)$. Thus we need a method for finding an irreducible polynomial (1). To test for irreducibility we use the following.
LEMMA 1. Let $l_1, \ldots, l_k$ be all the prime divisors of $n$ and denote $n/l_i = m_i$. A polynomial $g(x) \in Z_p[x]$ of degree $n$ is irreducible in $Z_p[x]$ if and only if

(2) $g(x) \mid (x^{p^n} - x)$,

(3) $(g(x), x^{p^{m_i}} - x) = 1$, $1 \le i \le k$,

where $(a, b)$ denotes the greatest common divisor of $a$ and $b$.

Proof. Assume that $g(x)$ is irreducible, then every root $a$ of $g(x) = 0$ lies in $E = GF(p^n)$. Hence $a^{p^n} - a = 0$, and $(x - a) \mid (x^{p^n} - x)$. Since $g(x)$ has no multiple roots, (2) follows. Since $g(x)$ is irreducible of degree $n$, it has no roots in any field $GF(p^m)$, $m < n$. This directly implies (3). Assume conversely that (2) and (3) hold. From (2) it follows that all roots of $g(x) = 0$ are in $E = GF(p^n)$. Assume that $g$ has an irreducible factor $g_1(x)$ of degree $m < n$. The roots of $g_1(x)$ lie in $GF(p^m)$ which is generated over $Z_p$ by any one of these roots. Hence $GF(p^m) \subseteq E$ and $m \mid n$. Consequently $m \mid m_i$ for one of the maximal divisors $m_i$ of $n$, and all roots of $g_1(x)$ lie in $GF(p^{m_i})$. But then $(g(x), x^{p^{m_i}} - x)$ is divisible by $g_1(x)$ contradicting (3). Thus $g(x)$ must be irreducible.


In computing the number of operations required to test a given polynomial for irreducibility we count, here and elsewhere in this article, in terms of arithmetical operations of $Z_p$. To obtain a bit-operations count, we should multiply our results by $B(p)$ = the number of bit operations required to multiply or divide two numbers of $\log p$ bits. As is well known, $B(p)$ can be taken to be $O(\log p \log \log p)$.


In order to shorten subsequent formulas we introduce the following

Notation: $L(n) = \log n \cdot \log \log n$.


n 
The computation of $(g(x), x^{p^n} - x)$ is executed by computing $x^{p^n}$ modulo $g(x)$. As is well known, $x^{p^n}$ can be calculated by at most $2 \log p^n$ multiplications mod $g(x)$. Since we compute mod $g(x)$ we never deal with polynomials of degree greater than $2n$.

It is shown in [4] that multiplying two $n$-degree polynomials with coefficients in any finite field can be done by $O(n \log n \log \log n) = O(n L(n))$ field operations. Consequently division and finding remainder can be done in $O(n L(n))$ operations, see [1, p. 288]. Thus the basic step of computing $r(x) \cdot s(x) \bmod g(x)$, where $\deg(r), \deg(s) \le n - 1$, uses $O(n L(n))$ operations. The computation of $x^{p^n}$ uses $O(n^2 L(n) \log p)$ operations.

To test (3) we need $k \le \log n$ computations of the above type so that the total number of operations is $O(n^2 \log n L(n) \log p)$.
The search for an irreducible polynomial of degree $n$ is based on the following result which is a weaker form, sufficient for our purposes, of Theorem 3.3.6 [2]. We give a proof not utilizing generating functions.


LEMMA 2. Denote by $m(n)$ the number of different monic polynomials in $Z_p[x]$ of degree $n$ which are irreducible. Then

(4) $\dfrac{p^n - p^{n/2} \log n}{n} \le m(n)$,

(5) $\dfrac{1}{n} - \dfrac{\log n}{n\, p^{n/2}} \le \dfrac{m(n)}{p^n}$.

Note that $p^n$ is the number of all monic polynomials of degree $n$.

Proof. Let $g_1(x), \ldots, g_k(x)$, $k = m(n)$, be all the pairwise different irreducible monic polynomials of degree $n$. Any element $a \in E = GF(p^n)$ which is of degree $n$ over $Z_p$ satisfies exactly one equation $g_i(x) = 0$ and each such equation has exactly $n$ such roots. If $H \subseteq E$ is the set of elements of degree $n$ over $Z_p$, then $c(H)/n = m(n)$.

An element $a \in E$ is in $H$ if it is not in any proper maximal subfield $GF(p^{m_i}) \subseteq E$, where $m_i$ is a maximal divisor of $n$ (see the notation in Lemma 1). The cardinality of such a subfield is at most $p^{n/2}$ and the number of these maximal subfields is smaller than $\log n$. Thus $p^n - p^{n/2} \log n < c(H)$ from which (4) and (5) follow.

In [2] Berlekamp remarks that Theorem 3.3.6 means that a randomly chosen polynomial of degree $n$ will be irreducible with probability nearly $1/n$, without suggesting to base an algorithm on this fact. In the general spirit of the present paper, we solve the problem of finding an irreducible polynomial by randomization.


The algorithm for finding an irreducible polynomial proceeds as follows. Choose a polynomial (1) randomly and test for irreducibility; continue until an irreducible polynomial of degree $n$ is found. Lemma 2 ensures that the expected number of polynomials to be tried before an irreducible one is found is $n$. Thus the expected number of operations (in $Z_p$) for finding an irreducible polynomial of degree $n$ is $O(n^3 \log n L(n) \log p)$.

The root-finding algorithm for $GF(q)$ assumes that the arithmetic of this field is given, so that the question of finding an irreducible polynomial actually does not arise. In the factorization of a polynomial of degree $n$ we may need computations in fields $GF(p^{n_i})$, $1 \le i \le t$, such that $\sum n_i \le n$. The count of all operations, including the precomputation of the $g_{n_i}(x)$, will use the following.

LEMMA 3. Let $n_i$, $1 \le i \le t$, satisfy $\sum n_i \le n$. The expected number of operations used for finding irreducible polynomials $h_i(x)$, $\deg(h_i) = n_i$, $1 \le i \le t$, is $O(n^3 \log n L(n) \log p)$.

Proof. $\sum n_i^3 \log n_i L(n_i) \log p \le n^2 \log n L(n) \log p \sum n_i \le n^3 \log n L(n) \log p$.
2. ROOT-FINDING IN GF(p^n)

Let $E = GF(q)$ be a fixed finite field, and $f(x) \in E[x]$ be a polynomial of degree $m$. We wish to find one (or all) of the roots $a \in E$ of $f(x) = 0$. We give a probabilistic algorithm for this problem, which is a generalization of the algorithm given in Berlekamp [3] for prime fields $Z_p$, to arbitrary finite fields $E$. Our proof for the validity of the general algorithm of course applies also to the special case of $Z_p$, which is given essentially without proof in [3].

Assume for the time being that $q = p^n$ is odd. We shall indicate later how to treat the important case $q = 2^n$.

Form the g.c.d.

$f_1(x) = (f(x), x^{q-1} - 1)$.

If $f_1(x) = 1$ then $f(x)$ has no roots in $E$. In general

where the $a_i$ are all the pairwise different roots in $E$ of $f(x) = 0$. Now

(6) $x^{q-1} - 1 = (x^d + 1)(x^d - 1)$, $d = \dfrac{q-1}{2}$.

The next natural step is to try $(f_1(x), x^d - 1)$. If some of the $a_i$ satisfy $a_i^d - 1 = 0$ while others satisfy $a_i^d + 1 = 0$, then this g.c.d. will be a true divisor of $f_1(x)$, and we will have further advanced towards the goal of finding a linear factor $x - a_i$, i.e. a root, of $f(x)$. In general we are not guaranteed that the g.c.d. will be different from 1 or $f_1(x)$. However, this advantageous situation can be created by randomization.

Call $a, \beta \in E$, $a \ne 0$, $\beta \ne 0$, of different type if $a^d \ne \beta^d$, where $d = \dfrac{q-1}{2}$.


THEOREM 4. Let $a_1, a_2 \in E$, $a_1 \ne a_2$. Then

(7) $\dfrac{q-1}{2} = c(\{\delta \mid \delta \in E,\ a_1 + \delta \text{ and } a_2 + \delta \text{ are of different type}\})$.

Proof. The elements $a_1 + \delta$ and $a_2 + \delta$ are of different type if and only if neither is zero and

$\left(\dfrac{a_1 + \delta}{a_2 + \delta}\right)^d \ne 1$; hence $\left(\dfrac{a_1 + \delta}{a_2 + \delta}\right)^d = -1$.

The equation $x^d = -1$ has exactly $d = \dfrac{q-1}{2}$ solutions in $E$. Consider the 1-1 mapping $\phi(\delta) = \dfrac{a_1 + \delta}{a_2 + \delta}$. As $\delta$ ranges over $E - \{-a_2\}$, $\phi(\delta)$ ranges over $E - \{1\}$. Thus for exactly $\dfrac{q-1}{2}$ values of $\delta$, $\phi(\delta)^d = -1$. This implies (7).

COROLLARY 5. Consider for $\delta \in E$ the g.c.d. $f_\delta(x) = (f_1(x), (x + \delta)^d - 1)$. We have

(8) $\dfrac{1}{2} \le \Pr(\delta \mid 0 < \deg f_\delta(x) < \deg f_1)$.

Proof. The common roots of $f_1(x)$ and $(x + \delta)^d - 1$ are those $a_i$ ($f_1(a_i) = 0$) for which $(a_i + \delta)^d - 1 = 0$. By Theorem 4, with probability $1/2$, $a_1 + \delta$ has this property while $a_2 + \delta$ does not, or vice-versa. This entails (8). Actually the probability is nearly $1 - 1/2^{k-1}$, where $\deg f_1 = k$, but we cannot prove this.

Root-finding algorithm. Given $f(x)$ of degree $m$, compute $f_1(x)$. Choose $\delta \in E$ randomly and compute $f_\delta(x)$. If $0 < \deg f_\delta < \deg f_1$ then let $f_2(x) = f_\delta(x)$ or $f_2(x) = f_1/f_\delta$ according as to whether $\deg f_\delta \le \frac{1}{2} \deg f_1$ or not. If $f_\delta = 1$ or $f_\delta = f_1$ choose another $\delta$ and repeat the previous step. By Corollary 5, the expected number of choices of $\delta \in E$ until we find $f_2(x)$ is less than 2. Since the degree is at least halved in each step, after at most $\log m$ steps we find a linear factor $x - a_i$ of $f(x)$, i.e. a root.

The number of (field $E$) arithmetical operations required for finding $f_1(x)$ and $f_\delta(x)$ is $O(n \cdot m L(m) \log p)$, where $E = GF(p^n)$. Since $\deg f_2 \le \frac{1}{2} m$, it follows that the number of operations for finding $f_3(x)$ is at most half the number of operations for finding $f_2$; and similarly for $f_4$ etc. Thus the total number of $E$-operations used for finding a root of $f(x)$ is still just $O(n \cdot m L(m) \log p)$.

In terms of operations in $Z_p$, each $E$-operation requires $O(n L(n))$ operations with residues modulo $p$. Thus the total (expected) number of $Z_p$ operations for root-finding is

(9) $O(n^2 m L(m) L(n) \log p)$.
3. FACTORIZATION OF POLYNOMIALS

Let $f(x) \in Z_p[x]$ be a polynomial of degree $n$ which we want to factor into its irreducible factors. We may assume that $f'(x)$ (the derivative) is not zero. For otherwise $f(x) = g(x)^p$ where $g'(x) \ne 0$ and this $g$ is readily found. For example, $x^{2p} + a x^p + b = (x^2 + a x + b)^p$. By calculating $(f(x), f'(x)) = h(x)$, and $f/h$, we have reduced the problem to factoring a polynomial with no repeated factors. Calculate

$g_m(x) = (f(x), x^{p^m} - x)$, $1 \le m \le n$.

Since $GF(p^m)$ consists exactly of all the elements of degrees $i$, $i \mid m$, over $Z_p$, we have that $g_m(x)$ is the product of all irreducible factors $h(x) \mid f(x)$ of degrees $i \mid m$.

Choose the $g_m \ne 1$ of lowest index $m$. If $\deg(g_m) = l$, then

$g_m(x) = h_1(x) \cdots h_k(x)$, $km = l$,

and each $h_i(x)$ is irreducible of degree $m$. All roots of $g_m(x)$ are in $GF(p^m)$. Find a root $a$ of $g_m(x) = 0$. This root is a root of a unique $h_i(x)$.

To find this $h_i(x)$ form the powers

(10) $1, a, \ldots, a^m$.

These elements of $GF(p^m)$ are $m$-component vectors with coordinates in $Z_p$. Solve the system of linear equations

(11) $b_0 + b_1 a + \cdots + b_{m-1} a^{m-1} + a^m = 0$,

where the $b_i$, $0 \le i \le m-1$, are the unknowns and the coordinates of the $a^i$ are the coefficients. Now, $h_i(x) =$


Another way for computing $h_i(x)$ was suggested by M. Ben-Or. Note that $h_i(x)$ is irreducible of degree $m$. Since $\phi(a) = a^p$ is an automorphism of $GF(p^m)$ over the field $Z_p$, the conjugates of $a$ are

(12) $a_0 = a,\ a_1 = a^p,\ \ldots,\ a_{m-1} = a^{p^{m-1}}$.

The polynomial $h_i(x)$ is now obtained by the calculation in $GF(p^m)$ of

(13) $h_i(x) = (x - a_0)(x - a_1) \cdots (x - a_{m-1})$.

Using either one of the above methods, one irreducible factor of $g_m(x)$ (and of $f(x)$) is found. Next we find a root $\beta$ of $g_m(x)/h_i(x)$ and another factor $h_j(x)$ of $g_m(x)$, and so on.

Proceeding to factor the other $g_r(x)$, we choose $g_r(x) \ne 1$ with the lowest index $r > m$. If $m \nmid r$ then $g_r(x)$ is the product of irreducible factors of degree $r$. If $m \mid r$ then $g_m \mid g_r$ and $g_r/g_m$ is the product of such factors. Factor $g_r(x)$ or $g_r/g_m$ into its irreducible factors of degree $r$ by one of the above methods.


In general, let $m_1 < m_2 < \cdots < m_t \le n$ be the indices for which $g_{m_i} \ne 1$. After $i-1$ steps we found $D_1(x), \ldots, D_{i-1}(x)$, where $D_j(x)$ is the product of all irreducible factors of degree $m_j$ of $f(x)$, and each $D_j(x)$ is factored. (Note that $D_i(x) = 1$ is possible despite $g_{m_i} \ne 1$. For example, $f(x)$ may have irreducible factors of degrees 2 and 3, but no irreducible factors of degree 6. In this case $D_2(x) \ne 1$, $D_3(x) \ne 1$, $D_6(x) = 1$, and $g_6(x) = D_2(x) D_3(x)$.) Now,

(14) $D_i(x) = g_{m_i}(x) \Big/ \prod_{m_j \mid m_i,\ m_j < m_i} D_j(x)$.

If $D_i(x) \ne 1$ and $m_i < \deg D_i(x)$, then factor it by the above method. If $m_i = \deg D_i(x)$ then $D_i(x)$ is already irreducible of degree $m_i$, and $f(x)$ has exactly one irreducible factor of this degree.
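The following is an added worked example, not code from the paper, that carries Sections 1, 2 and 3 through together in Python: the representation of $GF(p^n)$ as residues mod an irreducible $g$ from Section 1, the irreducibility test of Lemma 1 with the randomized search of Lemma 2, the root-finding algorithm of Section 2 with the random choice $\delta$ of Corollary 5, and the factorization of Section 3, in which each $D_m$ is split by finding a root $a \in GF(p^m)$ and forming the product $(x - a)(x - a^p) \cdots (x - a^{p^{m-1}})$ of (12), (13). It assumes $p$ odd (the case treated in Section 2) and an input $f$ with no repeated factors; the field class `GF`, the schoolbook polynomial routines and every name below are this example's own choices and assumptions, not the paper's.

```python
import random
# Added example, not code from the paper: Sections 1-3.  An element of E = Z_p[x]/(g) is a
# tuple of deg(g) coefficients; a polynomial over E is a list of such tuples (index = degree,
# no trailing zeros).  Assumed: p odd (the case of Section 2), g monic, f without repeated factors.
class GF:
    def __init__(self, p, g):          # g: int list, low to high; g = x, i.e. [0, 1], gives Z_p
        self.p, self.g, self.n, self.q = p, g, len(g) - 1, p ** (len(g) - 1)
    def elt(self, c): return (c % self.p,) + (0,) * (self.n - 1)         # embed a constant
    def add(self, a, b): return tuple((x + y) % self.p for x, y in zip(a, b))
    def sub(self, a, b): return tuple((x - y) % self.p for x, y in zip(a, b))
    def mul(self, a, b):               # d(x) = a(x)b(x), then the residue of d(x) mod g(x)
        d = [0] * (2 * self.n - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b): d[i + j] = (d[i + j] + x * y) % self.p
        for k in range(len(d) - 1, self.n - 1, -1):     # x^k = -(g - x^n) x^(k-n) mod g
            c, d[k] = d[k], 0
            for i in range(self.n): d[k - self.n + i] = (d[k - self.n + i] - c * self.g[i]) % self.p
        return tuple(d[:self.n])
    def pow(self, a, e):
        r, b = self.elt(1), a
        while e:
            if e & 1: r = self.mul(r, b)
            b, e = self.mul(b, b), e >> 1
        return r
    def inv(self, a): return self.pow(a, self.q - 2)
    def rand(self): return tuple(random.randrange(self.p) for _ in range(self.n))
def trim(a):
    while a and not any(a[-1]): a.pop()
    return a
def psub(F, a, b):                     # a - b in F[x]
    n, z = max(len(a), len(b)), [F.elt(0)]
    return trim([F.sub(x, y) for x, y in zip(a + z * (n - len(a)), b + z * (n - len(b)))])
def pmul(F, a, b):
    r = [F.elt(0)] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b): r[i + j] = F.add(r[i + j], F.mul(x, y))
    return trim(r)
def pdivmod(F, a, b):                  # quotient and remainder, b != 0
    a, q, inv = a[:], [F.elt(0)] * max(len(a) - len(b) + 1, 0), F.inv(b[-1])
    while len(a) >= len(b):
        s, c = len(a) - len(b), F.mul(a[-1], inv)
        q[s] = c
        for i, y in enumerate(b): a[s + i] = F.sub(a[s + i], F.mul(c, y))
        trim(a)
    return q, a
def pgcd(F, a, b):                     # monic greatest common divisor
    while b: a, b = b, pdivmod(F, a, b)[1]
    return [F.mul(c, F.inv(a[-1])) for c in a]
def ppowmod(F, b, e, m):               # b^e mod m by repeated squaring
    r, b = [F.elt(1)], pdivmod(F, b, m)[1]
    while e:
        if e & 1: r = pdivmod(F, pmul(F, r, b), m)[1]
        b, e = pdivmod(F, pmul(F, b, b), m)[1], e >> 1
    return r
def is_irreducible(Zp, g):             # Lemma 1: condition (2), then (3) for each prime l | n
    n, x = len(g) - 1, [Zp.elt(0), Zp.elt(1)]
    if n > 1 and ppowmod(Zp, x, Zp.p ** n, g) != x: return False
    for l in [l for l in range(2, n + 1) if n % l == 0 and all(l % k for k in range(2, l))]:
        if pgcd(Zp, g, psub(Zp, ppowmod(Zp, x, Zp.p ** (n // l), g), x)) != [Zp.elt(1)]: return False
    return True
def random_irreducible(Zp, n):         # Lemma 2: about n random monic trials expected
    while True:
        g = [Zp.rand() for _ in range(n)] + [Zp.elt(1)]
        if is_irreducible(Zp, g): return [c[0] for c in g]

def find_root(E, f):                   # Section 2: one root of f in E, or None
    x, one = [E.elt(0), E.elt(1)], E.elt(1)
    if not any(f[0]): return E.elt(0)  # x^(q-1) - 1 misses the root 0, so check it directly
    f1 = pgcd(E, f, psub(E, ppowmod(E, x, E.q - 1, f), [one]))        # f_1 = (f, x^(q-1) - 1)
    if len(f1) == 1: return None
    d = (E.q - 1) // 2
    while len(f1) > 2:                 # stop once f_1 is linear
        delta = E.rand()               # the random choice of Corollary 5
        fd = pgcd(E, f1, psub(E, ppowmod(E, [delta, one], d, f1), [one]))   # f_delta
        if 1 < len(fd) < len(f1):      # proper split: keep the half of smaller degree
            other = pdivmod(E, f1, fd)[0]
            f1 = fd if len(fd) <= len(other) else other
    return E.sub(E.elt(0), f1[0])      # f_1 = x + c, so the root is -c

def factor_squarefree(Zp, f):          # Section 3: f in Z_p[x] with no repeated factors
    p, x = Zp.p, [Zp.elt(0), Zp.elt(1)]
    rest, xpm, m, factors = pgcd(Zp, f, []), x, 0, []
    while len(rest) > 1:
        m += 1
        xpm = ppowmod(Zp, xpm, p, f)   # x^(p^m) mod f
        D = pgcd(Zp, rest, psub(Zp, xpm, x))        # D_m, the degree-m part of f, as in (14)
        rest = pdivmod(Zp, rest, D)[0]
        if len(D) > 1: E = GF(p, random_irreducible(Zp, m))       # arithmetic of GF(p^m)
        while len(D) - 1 > m:          # D_m still has at least two irreducible factors
            a = find_root(E, [E.elt(c[0]) for c in D])            # a root of D_m in GF(p^m)
            h, conj = [E.elt(1)], a
            for _ in range(m):         # (12), (13): h = (x - a)(x - a^p)...(x - a^(p^(m-1)))
                h = pmul(E, h, [E.sub(E.elt(0), conj), E.elt(1)])
                conj = E.pow(conj, p)
            h = [Zp.elt(c[0]) for c in h]        # its coefficients are constants, i.e. in Z_p
            factors.append(h)
            D = pdivmod(Zp, D, h)[0]
        if len(D) > 1: factors.append(D)         # what is left has degree m: irreducible
    return sorted([c[0] for c in h] for h in factors)
```

With `Z7 = GF(7, [0, 1])` (the prime field as the case $n = 1$, $g = x$) and the constructed input $f = x^9 + 4x^8 + 3x^7 + 6x^6 + 6x^5 + 4x^2 + 3x + 6$ over $Z_7$, given low to high as `[6, 3, 4, 0, 0, 6, 6, 3, 4, 1]`, `factor_squarefree` returns the five factors $x + 1$, $x + 2$, $x^2 + 1$, $x^2 + x + 3$ and $x^3 + x + 1$ as coefficient lists; the two linear factors are separated by a root found in $Z_7$, and the two quadratics by a root found in $GF(49)$ together with its conjugate. The polynomial routines are schoolbook rather than the fast methods of [4], so the operation counts of Section 4 do not apply to this code.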




4. COUNTING OPERATIONS

Let us now count the number of $Z_p$-operations required to factor a polynomial $f(x) \in Z_p[x]$ of degree $n$. The cost of getting rid of multiple factors of $f(x)$ and of discovering the factors $D_i(x)$ defined in Section 3 is majorized by the cost of factoring the $D_i(x)$, so that we confine ourselves to estimating the latter cost.

We have $f(x) = D_1(x) \cdots D_t(x)$, where $\deg D_i = d_i$. Each $D_i(x) = h_{i1}(x) \cdots h_{ik_i}(x)$, where $\deg h_{ij} = m_i$, and $h_{ij}$ is irreducible. The algorithm of Section 3 seeks $k_i$ roots $\beta_1, \ldots, \beta_{k_i}$ of $D_i(x) = 0$, one for each factor $h_{ij}(x)$, so that $h_{ij}(\beta_j) = 0$. Using the operation count (9) for root-finding, where $n = m_i$ (because $\beta_j \in GF(p^{m_i})$, $1 \le j \le k_i$), and $\deg D_i = d_i$, we get $O(m_i^2 d_i L(d_i) L(m_i) \log p)$ for finding one root, say $\beta_1$. We then find $h_{i1}(x)$ by (11) or (13). Next we find a root of $D_i(x)/h_{i1}(x)$, so that we are sure that the root belongs to a new $h_{ij}$. Overestimating by not using the fact that $\deg(D_i/h_{i1}) = d_i - m_i$, etc., we get $O(k_i m_i^2 d_i L(d_i) L(m_i) \log p)$ for the total number of $Z_p$-operations to find the relevant roots of $D_i(x)$. Since $k_i m_i = d_i$ and $m_i \le d_i$ we get

(15) $O(d_i^3 L(d_i)^2 \log p)$

as a bound on these operations for $D_i(x)$. Since $n = \sum d_i$ we obtain by summation from (15), in the manner of deriving Lemma 3,

(16) $O(n^3 L(n)^2 \log p)$

as a bound on the cost of finding all the necessary roots of all the $D_i(x)$.

The first method for finding the $h_{ij}(x)$, once a root for each $h_{ij}(x)$ is given, employs $O(m_i^2 L(m_i))$ $Z_p$-operations to calculate the sequence (10) of powers of the given root. The solution in $Z_p$ of the system (11) of $m_i$ linear equations in $m_i$ unknowns uses $O(m_i^3)$ operations which majorizes the previous term. Summing over all the $h_{ij}(x)$ and overestimating we get $O(n^3)$ $Z_p$-operations for finding all the $h_{ij}(x)$, $1 \le i \le t$, $1 \le j \le k_i$.


We now estimate the operations used in Ben-Or's method for computing the $h_{ij}(x)$ from the roots. Using the notation of (12) and (13), so that the root is $a$ and $\deg(h_i(x)) = m_i$, we use $O(m_i \log p)$ $GF(p^{m_i})$-multiplications to perform the $m_i$ raisings to exponent $p$. Counting $Z_p$-operations, we get

(17) $O(m_i^2 L(m_i) \log p)$

operations for computing the sequence (12). The formation of the product (13) is a computation of the polynomial $h(x)$ from its given roots $a_0, \ldots, a_{m_i - 1}$. Using the result of [1, p. 299], and taking into account that in a finite field we require $O(m L(m))$ (instead of $O(m \log m)$) operations to multiply two polynomials of degree $m$, we get that

(18) $O((m_i L(m_i))^2 \log m_i)$

operations of $Z_p$ are used to form each $h_{ij}$. Since $D_i(x)$ has $k_i$ factors $h_{ij}(x)$, $1 \le j \le k_i$, and $\deg D_i = m_i k_i$, we get from (17), (18) the upper estimate

(19) $O((n L(n))^2 (\log n + \log p))$

for the $Z_p$-operations used in Ben-Or's method to find all the irreducible factors $h_{ij}(x)$, $1 \le i \le t$, $1 \le j \le k_i$, of $f(x)$, once a root of each factor was computed.


5. SUMMARY OF RESULTS AND EXTENSIONS 


The root-finding method of Section 2 is not applicable to polynomials $f(x) \in GF(2^n)[x]$. However, a small modification does work. Instead of $x^{q-1} - 1$ we use the polynomial

$T(x) = x + x^2 + \cdots + x^{2^{n-1}}$.

For $a \in GF(2^n) = E$ we have $T(a)^2 = T(a)$ so that every $a$ is a root of $T(x) = 0$ or of $T(x) = 1$. Also $T(a + \beta) = T(a) + T(\beta)$.

THEOREM 6. If $a_1 \ne a_2$, $a_1, a_2 \in E$, then

$2^{n-1} = c(\{\delta \mid T(\delta a_1) \ne T(\delta a_2)\})$.

Proof. $T(\delta a_1) \ne T(\delta a_2)$ iff $T(\delta(a_1 + a_2)) \ne 0$, i.e. $= 1$. Now $a_1 + a_2 \ne 0$ so that $\beta = \delta(a_1 + a_2)$ runs with $\delta$ through all $\beta \in E$. In particular, for appropriate values of $\delta$, all the $2^{n-1}$ roots of $T(x) = 1$ are obtained. This proves the theorem.

Based on Theorem 6, we have a probabilistic root-finding algorithm for polynomials $f \in E[x]$ which is completely analogous to the algorithm in Section 2.
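As an added illustration of this characteristic-2 variant (not code from the paper), the following Python block represents $GF(2^4)$ by 4-bit integers reduced mod the constructed choice $g = x^4 + x + 1$, computes $T(a)$ by repeated squaring, and checks the three facts used above: $T(a)^2 = T(a)$, additivity of $T$, and the count of Theorem 6, which equals $2^{n-1} = 8$ for every pair $a_1 \ne a_2$. The names `mul2`, `trace`, `count_separating` and the choice of $g$ are this example's own assumptions.

```python
# Added example, not code from the paper: the characteristic-2 variant of Section 5.
# An element of E = GF(2^n) is an int whose bits are the coefficients of a residue mod a fixed
# irreducible g; here, as a constructed assumption, g = x^4 + x + 1 and n = 4.
N, G = 4, 0b10011

def mul2(a, b, n=N, g=G):               # carry-less product reduced mod g (Section 1 over Z_2)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> n:                      # a reached degree n: subtract (i.e. xor) g
            a ^= g
    return r

def trace(a, n=N):                      # T(a) = a + a^2 + a^4 + ... + a^(2^(n-1))
    t, s = 0, a
    for _ in range(n):
        t ^= s
        s = mul2(s, s)
    return t

def trace_is_idempotent(n=N):           # T(a)^2 = T(a), hence T(a) is 0 or 1, for every a in E
    return all(mul2(trace(a), trace(a)) == trace(a) and trace(a) in (0, 1)
               for a in range(1 << n))

def trace_is_additive(n=N):             # T(a + b) = T(a) + T(b); addition in E is xor
    return all(trace(a ^ b) == trace(a) ^ trace(b)
               for a in range(1 << n) for b in range(1 << n))

def count_separating(a1, a2, n=N):      # Theorem 6: the number of delta with T(delta a1) != T(delta a2)
    return sum(1 for delta in range(1 << n)
               if trace(mul2(delta, a1)) != trace(mul2(delta, a2)))
```

The count returned by `count_separating` is the size of the set in Theorem 6; since exactly half of $E$ satisfies $T(\beta) = 1$ and $\delta \mapsto \delta(a_1 + a_2)$ is a bijection of $E$, it is $2^{n-1}$ whenever $a_1 \ne a_2$ and 0 when $a_1 = a_2$.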

The factorization algorithm for polynomials $f(x) \in Z_p[x]$ given in Section 3 immediately generalizes to polynomials with coefficients in a general finite field $E = GF(q)$. The operation counts are the same, with $E$-operations replacing $Z_p$-operations.

We summarize our results as follows.

1. Finding irreducible polynomials.

The expected number of steps for finding an irreducible polynomial $g(x) \in Z_p[x]$ of degree $n$ is $O(n^3 \log n L(n) \log p)$. Any such polynomial enables us to compute in $GF(p^n)$.


2. Root-finding.

The expected number of $Z_p$ operations used to find a root in $E = GF(p^n)$ of a polynomial $f(x) \in E[x]$ of degree $m$ is $O(n^2 m L(m) L(n) \log p)$.

If the arithmetic of $GF(p^n)$ is directly wired into circuitry so that an $E$-arithmetical operation is counted as one operation, then the number of operations for root-finding is $O(n \cdot m L(m) \log p)$.


3. Factorization into irreducible factors.

The total number of $Z_p$-operations for factoring a polynomial $f \in Z_p[x]$ of degree $n$ is

$O(n^3 \log n L(n) \log p) + O(n^3 L(n)^2 \log p) + O(n^3)$.

Here are included the computations of the necessary irreducible polynomials $g_i(x)$ needed for the arithmetic of the relevant fields $GF(p^i)$. The last term represents the operations used to solve linear equations under the first method.

If we assume that the arithmetic of all fields $GF(p^m)$, $m \le n$, is performed by wired circuitry then it is preferable to use the second method for computing the factors from the roots, based on (12) and (13). From (16) and (19) it follows, since each $GF(p^m)$ operation is counted as one operation, that the number of operations used for factoring a polynomial of degree $n$ into irreducible factors is

$O(n^2 L(n) \log p) + O(n L(n)(\log n + \log p))$.

The first term majorizes the second term, but we display the latter as well since it reflects the structure of the algorithm.